CVE-2026-32604

CRITICAL LAB

Spinnaker vulnerable to RCE when using gitrepo artifact types due to improper sanitization of user input on branch and paths

Title source: cna

Exploitation Summary

EIP tracks 1 public exploit for CVE-2026-32604. PoCs published by ZeroPathAI.

AI-analyzed exploit summary: This repository contains functional exploit code for CVE-2026-32604, demonstrating a Git clone shell injection vulnerability in Spinnaker's Clouddriver service. The PoC leverages unsanitized branch names in artifact fetch requests to achieve remote code execution.

Description

Spinnaker is an open source, multi-cloud continuous delivery platform. In versions prior to 2026.1.0, 2026.0.1, 2025.4.2, and 2025.3.2, a bad actor can execute arbitrary commands very simply on the clouddriver pods. This can expose credentials, remove files, or inject resources easily. Versions 2026.1.0, 2026.0.1, 2025.4.2, and 2025.3.2 contain a patch. As a workaround, disable the gitrepo artifact types.

Exploits (1)

nomisec WORKING POC
by ZeroPathAI · poc
https://github.com/ZeroPathAI/spinnaker-poc

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Spinnaker Clouddriver
Auth required
Prerequisites: Docker · Git · Python 3.10+ · uv · authenticated access to Spinnaker Gate or direct access to Clouddriver
devstral-2 · analyzed Apr 22, 2026

Scores

CVSS v3 9.9
EPSS 0.0009
EPSS Percentile 26.3%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact total

Lab Environment

Community Lab
docker pull spinnaker-base:local
docker pull minio/minio:latest
docker pull minio/mc:latest
docker pull osixia/openldap:1.5.0
docker pull docker.elastic.co/elasticsearch/elasticsearch:7.17.15

Details

CWE
CWE-20
Status published
Products (6)
io.spinnaker.clouddriver/clouddriver-artifacts-gitrepo 0 - 2026.0.1 (Maven)
linuxfoundation/spinnaker < 2025.3.2
spinnaker/spinnaker < 2025.3.2
spinnaker/spinnaker < 2025.4.2
spinnaker/spinnaker < 2026.0.1
spinnaker/spinnaker < 2026.1.0
Published Apr 20, 2026
Tracked Since Apr 21, 2026